18:02:07 <morganfainberg> #startmeeting Keystone 18:02:07 <openstack> Meeting started Tue Nov 18 18:02:07 2014 UTC and is due to finish in 60 minutes. The chair is morganfainberg. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:02:08 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:02:10 <openstack> The meeting name has been set to 'keystone' 18:02:12 <bknudson> hi 18:02:17 <lbragstad> I was guilty of that last year... 18:02:26 <ayoung> poor jamielennox probably will get an alarm clock wake up in 1 hour 18:02:27 <morganfainberg> Welcome back! Hope people had a good summit and a nice week since the summit 18:02:28 <lbragstad> I feel accomplished that I remember 18:02:49 <marekd> dolphm reminded of that yesterday 18:03:01 <morganfainberg> #topic Stable Maintenance Liaison 18:03:07 <morganfainberg> #link https://wiki.openstack.org/wiki/CrossProjectLiaisons#Stable_Branch 18:03:23 <bknudson> I'd be willing to sign up for this since we kind of need it 18:03:27 <morganfainberg> While I can do this, I would prefer to have someone else to also rely on. 18:03:58 <ayoung> #startvote Nominate bknudson 18:03:58 <openstack> Only the meeting chair may start a vote. 18:03:59 <dolphm> i'm on board as well 18:04:05 <lbragstad> bknudson: is the liaison of liaisons 18:04:13 <bknudson> dolphm's got 2 already 18:04:20 <morganfainberg> haha 18:04:23 <dolphm> #winning 18:04:32 <morganfainberg> i'll let you guys figure out which one will do it. 18:04:38 * ayoung winning by not having to be stable liason 18:04:58 <morganfainberg> #action dolphm or bknudson as stable liason. They'll battle it out - mad max style to see who gets it. 18:05:35 <dolphm> bknudson: fisticuffs in #openstack-keystone later? 18:05:51 <ayoung> "Two man enter, one man get extra work!" 18:05:53 <morganfainberg> just update the wiki and let me know who it ends up being. 18:06:02 <dolphm> morganfainberg: ++ 18:06:07 <bknudson> dolphm: you can take it. I'm busy enough. 18:06:18 <dolphm> bknudson: lol alrighty 18:06:18 <bknudson> I'll try to do more reviews in stable 18:06:21 <morganfainberg> #topic Mapping engine - do we need some enhancements? 18:06:26 <morganfainberg> marekd o/ 18:06:32 <marekd> hello 18:06:42 <bknudson> plus I can never figure out the test failures. 18:06:49 <ayoung> morganfainberg, I think we need, at least the ability to split the REMOTE_USER value into userid and domain 18:06:53 <dolphm> bknudson: that's the hard part 18:06:58 * morganfainberg needs to also do more stable reviews. 18:07:04 <ayoung> jamielennox, good morning! 18:07:06 <marekd> sorry 18:07:12 <marekd> emergency 18:07:15 <morganfainberg> no worries 18:07:19 <jamielennox> ayoung: mmm 18:07:27 <stevemar> i think marekd is running away? 18:07:31 <morganfainberg> i can answer the question - we do need enhancements. 18:07:32 <marekd> so, during the summit i heard some plans and opinions about 18:07:34 <marekd> mapping engine 18:07:47 <marekd> stevemar: i am not running away 18:07:53 <bknudson> here comes that singularity 18:08:01 <marekd> e.g. https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting there was a thread here 18:08:18 <marekd> i remember nkinder was mentioning something about dynamic group creation 18:08:35 <rodrigods> marekd, ++ 18:08:40 <marekd> i see everybody have some plans and opinions and i'd like to gather them and try to work something out. 18:08:48 <morganfainberg> marekd, more specifically group-passthrough, so it was possible to just pass group info across not need a keystone group every time 18:08:53 <bknudson> etherpad? 18:08:55 <ayoung> ++ 18:08:57 <ayoung> that too 18:09:01 <morganfainberg> etherpad would be good. 18:09:32 <marekd> <wip> 18:09:40 <marekd> https://etherpad.openstack.org/p/mapping-engine-enhancements 18:09:53 <morganfainberg> #link https://etherpad.openstack.org/p/mapping-engine-enhancements 18:10:00 <marekd> morganfainberg: thanks. 18:10:27 <rodrigods> we want to help with that as well 18:10:32 <dstanek> I just worry about going too far here. like the dev thread suggested 18:10:33 <rodrigods> cc vsilva_ 18:10:44 <marekd> rodrigods: fine, thanks, but we still don't have a clear roadmap :-) 18:11:01 <rodrigods> marekd, we can also help with the roadmap =p 18:11:02 <morganfainberg> #action please contribute information to the etherpad, we can distill out the requirements and what is really needed and what would be too much. 18:11:08 <ayoung> #link https://wiki.openstack.org/wiki/Summit/Kilo/Etherpads#Keystone 18:11:19 <topol> concrete use cases would be nice 18:11:39 <marekd> topol: ++ 18:11:43 <morganfainberg> marekd, i have some use-cases for enhancements that "make sense" afaict, but they should be easy sells compared to some of the other things. 18:11:51 <ayoung> topol, See the complexit y from gyee's X509 spec he pulled: bascially, the subject of a cert 18:11:54 <morganfainberg> but yes, include the use-case in the etherpad 18:12:01 <marekd> morganfainberg: ok, thanks. 18:12:11 <ayoung> topol, also, REMOTE_USER as set by mod_auth_kerb 18:12:16 <ayoung> and the REMOTE_UISER value from SAML 18:12:32 <morganfainberg> ayoung, I vote we make the variable REMOTE_UISER in all cases now 18:12:32 <stevemar> ayoung that should work now.. with https://review.openstack.org/#/c/133037/ merged 18:12:44 <ayoung> morganfainberg, can't 18:12:51 <morganfainberg> ayoung, darn 18:12:52 <morganfainberg> anyway 18:12:54 <marekd> morganfainberg: and to be honest i don't know much about nkinder's proposition 18:12:57 <ayoung> for example, REMOTE_USER might not be the right value from mod_ssl 18:12:57 <marekd> regarding groups 18:13:08 <morganfainberg> marekd, we'll get details outlined in the etherpad 18:13:11 <marekd> i was hoping he would explain it here pro publico bono :-) 18:13:16 <ayoung> #link http://www.freeipa.org/page/Environment_Variables 18:13:21 <marekd> morganfainberg: allrighty. 18:13:27 <ayoung> And SAML is pretty much An LDAP query 18:13:34 <marekd> does it all deserve a spec for the kilo release? 18:13:35 <morganfainberg> marekd, it should be straight forward once it's laid out like that. 18:13:50 <morganfainberg> marekd, likely we will want a spec to encompass the changes. 18:14:02 <morganfainberg> but lets see what comes from the ehterpad first 18:14:08 <stevemar> yeah, especially if it's new functionality/feature 18:14:09 <morganfainberg> might be that we say "nope not going to happen" 18:14:12 <stevemar> and not just a bug fix 18:14:20 <morganfainberg> for $REASONS$ 18:14:22 <ayoung> probably the most common case is split an env var into two pieces, one is username or userid, the other is domain info 18:14:26 <marekd> engine is not broken as is... 18:14:32 <marekd> it simply may lack some features 18:14:53 <marekd> ayoung: i'd still concatenate it 18:14:55 <morganfainberg> marekd, correct. thats why i think we need to see the details and then write a spec to encompass the enhancements - clearly detailing the SoW/scope 18:15:05 <marekd> morganfainberg: great 18:15:15 <marekd> i can take care of the specs if we need it. 18:15:19 <ayoung> #link https://jdennis.fedorapeople.org/doc/mapping.pdf John Dennis' proposal 18:15:22 <morganfainberg> it will help us prevent things sneaking in that are "bad ideas"™ 18:15:48 <marekd> ayoung: they made more powerful engine 18:16:07 <marekd> ok, if anybody else has some usecases please add it to the etherpad 18:16:19 <ayoung> marekd, "They?" he's on my team. He did this all by himself. jdennis kindof been through this once or twice before 18:16:29 <morganfainberg> I am going to say right now we will for this cycle at least *not* be making the mapping engine configurable - we will maintain 1 mapping engine, even if it means swapping out what we have whole-sale. I don't want to fight with pluggable mapping engines at this point. too many ways for things to be exposed in bad ways 18:16:53 <topol> morganfainberg +++ 18:16:59 <marekd> ayoung: ok, great, jdennis, *himself*, from ayoung's team has made a much powerful engine. 18:17:02 <ayoung> I think that is fine 18:17:09 <dstanek> morganfainberg: ++ seems dangerous if done wrong 18:17:33 <ayoung> he was doing it for opendaylight. So one benefit to his approach is it would work with another open source project 18:17:37 <lbragstad> I'm on board with that 18:17:51 <marekd> ayoung: i know. I really appreciated his e-mails 18:18:04 <marekd> and it was *really* meritorical stuff. 18:18:15 <bknudson> seems like if there's an existing mapping tool we should use it rather than try to develop our own 18:18:19 <marekd> that's why i want to drag your attention 18:18:22 <ayoung> I would say, though, that he lacks the APIs we need for management. Those are really part of the Federation spec today, and assume the existing mapping language 18:18:34 <morganfainberg> ayoung, and it might make sense to be compatible - my only hard line is i don't want pluggable engines for many many reasons, mostly around security and making the features solid before we open it up to massive headaches. 18:18:40 <ayoung> bknudson, technically, ours existed first 18:18:41 <marekd> and answer the questions: do we need something new? some small fixups, or maybe we should take John's engine? 18:18:56 <morganfainberg> also, his iirc is java and would need to be ported to python if we used it. 18:19:02 <ayoung> he wrote his this year as part of his work on Open Daylight. 18:19:13 <morganfainberg> marekd, ++ those are exactly the questions we should answer. 18:19:17 <jamielennox> if nothing else that doc is awesome 18:19:18 <topol> java ugghh 18:19:28 <ayoung> git clone git://fedorapeople.org/~jdennis/federated-mapping.git 18:19:34 <morganfainberg> and would john's engine "fix" the other needs or would we need to expand it as well. 18:19:47 <morganfainberg> s/"fix"/"meet" 18:19:49 <ayoung> looking to see if he did the python yet 18:19:57 <bknudson> maybe we can make the python version an openstack project 18:20:13 <morganfainberg> bknudson, I'd support that. 18:20:15 <marekd> bknudson: really? 18:20:22 <morganfainberg> if we go down that path 18:20:22 <stevemar> we're just dealing with arrays and dicts, it shouldn't be hard to port it over 18:20:28 <marekd> bknudson: morganfainberg like a standalone project? 18:20:32 <rodrigods> marekd, makes sense, since it's goiing to be pluggable 18:20:33 <bknudson> it's pretty common... I think this was done with some other python projs that openstack uses. 18:20:45 <morganfainberg> marekd, it would be a lib like policy 18:20:49 <bknudson> sqlalchemy-migrate for example 18:20:51 <marekd> morganfainberg: ok 18:21:00 <marekd> i could probably give a helping hand with that. 18:21:02 <morganfainberg> marekd, not a "stand alone service" 18:21:07 <dstanek> let's just start simple on the etherpad with requirements and gaps - then this discussion will be more valuable 18:21:15 <joesavak> +1 dstanek 18:21:15 <marekd> dstanek: ++ 18:21:16 <morganfainberg> but yes, lets get requirements in the etherpad 18:21:18 <ayoung> there is python code there 18:21:30 <joesavak> or a spec to detail why this approach is needed and what problems it solves 18:21:55 <morganfainberg> ayoung, if you could poke john to look at the etherpad as well and comment re his mapping engine once we have the use-cases 18:22:05 <ayoung> will do 18:22:07 <morganfainberg> see where we land. 18:22:38 <morganfainberg> #action ayoung to talk to john dennis about mapping engine and use-cases from etherpad: https://etherpad.openstack.org/p/mapping-engine-enhancements once populated with requested enhancements 18:23:00 <rodrigods> morganfainberg, me and vsilva_ will be on top of that as well 18:23:03 <morganfainberg> joesavak, thats the point of the etherpad. 18:23:10 <joesavak> woot 18:23:14 <morganfainberg> joesavak, post meeting need to bug you fyi. 18:23:18 <morganfainberg> ok moving on. 18:23:23 <morganfainberg> #topic K2K federation - status 18:23:27 <morganfainberg> marekd, all you again! :) 18:23:35 <marekd> allrighty, was hoping to see gyee here 18:23:40 <gyee> here 18:23:46 <marekd> gyee: oh, sorry! 18:23:47 <gyee> sorry I got stuck in traffic 18:23:48 <joesavak> magic. 18:23:57 * morganfainberg waves hands "magic" 18:24:12 <marekd> so, K2K 18:24:25 <joesavak> hoping to see megan fox here 18:24:30 <morganfainberg> joesavak, shh 18:24:30 <marekd> here! 18:24:39 <gyee> ++ :) 18:25:19 <marekd> so, K2K I wanted to ask if any of you had some experience or tried it out. It was marked as experimental in Juno and I feel there should be some fixes. 18:25:29 <marekd> i know rodrigods make a setup without security 18:25:34 <gyee> marekd, we did and it works! 18:25:36 <morganfainberg> marekd, i am planning on setting up a multi-way federated cloud test env this week. 18:25:42 <marekd> i know gyee and Sam were playing with that 18:25:49 <marekd> gyee: did you turn off crypto? 18:25:50 <morganfainberg> so i expect i'll also have feedback on it. 18:25:55 <bknudson> Is K2K still marked as experimental? 18:25:59 <gyee> no 18:26:02 <morganfainberg> bknudson, yes. 18:26:09 <rodrigods> gyee, marekd, AFAIK, Sam disabled security as well 18:26:12 <morganfainberg> bknudson, i hope it will move to "stable" this cycle. 18:26:20 <rodrigods> at least was the last update he sent to me 18:26:23 <marekd> gyee: so it worked with a proper assertion signature validation? 18:26:23 <gyee> I do have a question on federation though, with the way it works, we have to use different URL for different providers 18:26:27 <morganfainberg> bknudson, but we're just starting to get drive-time on it now. 18:26:38 <marekd> rodrigods: that's what he told me . 18:26:39 <bknudson> we need tempest tests! 18:26:42 <gyee> yes 18:26:49 <morganfainberg> bknudson, ++ that is part of why i'm setting up the test env 18:26:49 <leonchio_> rodrigods, marekd, yes, that's right, I have the signature validation disabled 18:26:56 <marekd> leonchio_: :/ 18:27:00 <rodrigods> =( 18:27:07 <gyee> because of the way redirect works 18:27:08 <lbragstad> morganfainberg: which test env specifically? 18:27:23 <rodrigods> leeantho, did you try using the same issuer for both IdP and SP? 18:27:24 <marekd> also 18:27:34 <morganfainberg> lbragstad, i'm going to be standing up a multi-node / cloud env with k2k + other federation. specifically so we can outline how we're testing it 18:27:37 <rodrigods> leonchio_, * 18:27:40 <gyee> oh, it was disabled? 18:27:44 <marekd> AFAIR there were some plans of different regions list depending on who is having a local token 18:27:47 <lbragstad> morganfainberg: ah, that's right... 18:27:49 <marekd> stevemar: recall anything like that? 18:27:54 <morganfainberg> lbragstad, infra can do multi-node environments now. (but it might be expirimental still) 18:27:58 <rodrigods> we are missing the region in the catalog as well 18:28:07 <marekd> rodrigods: hmmmmm, are we? 18:28:10 <rodrigods> yep 18:28:14 <marekd> last time i tried it I think i had it 18:28:30 <rodrigods> not for me, here 18:28:41 <marekd> joesavak: we don't want *any user* to see all the clouds that one can burst into, do we? 18:28:44 <marekd> stevemar: ^^ 18:28:56 <marekd> this should also be fixed, right? 18:29:05 <morganfainberg> marekd, i think that can be fixed with the filtering? 18:29:19 <morganfainberg> leverage endpoint filtering and expand it to region filtering? 18:29:25 <joesavak> marekd - they should be able to pull a list of trusted service providers so they know which provider to reference when getting the saml assertion from the local cloud to pass to other (service provider) clouds 18:29:28 <stevemar> marekd, i don't think we put any regions in the catalog right now 18:29:45 <rodrigods> stevemar, ++ 18:30:13 <marekd> joesavak: but all the SPs ? 18:30:15 <gyee> but we can group endpoints based on regions 18:30:18 <jamielennox> stevemar: i thought we do 18:30:36 <marekd> stevemar: rodrigods i will check it, maybe i messed sth up. 18:30:36 <gyee> its an attribute of endpoint isn't it? 18:30:48 <joesavak> marekd - perhaps rbac, or relating which domains can access which SPs is needed... 18:31:02 <stevemar> oh i didn't think about filtering at all 18:31:08 <joesavak> i can see that some restriction would be good - but I think it's supposed to be a list-all right now 18:31:14 <jamielennox> also regarding having SPs still feel that it's a bad idea to put anything in the catalog that can't be accessed with the current token 18:31:17 <marekd> stevemar: morganfainberg but isn't filtering a client-initiated action? 18:31:26 <morganfainberg> marekd, no endpoint filtering is server side 18:31:36 <gyee> https://github.com/openstack/keystone/blob/master/keystone/catalog/schema.py#L73 18:31:38 <marekd> morganfainberg: on what basis? 18:31:39 <morganfainberg> it doesn't prevent use of a target 18:31:49 <marekd> joesavak: aha, ok 18:31:55 <marekd> joesavak: i thought you would be concerned. 18:31:58 <morganfainberg> marekd, but it's a cloud provider can filter endpoints per project etc 18:32:08 <morganfainberg> for now i think filtering out targets is an enhancement 18:32:16 <morganfainberg> not a design of the current system 18:32:20 <morganfainberg> aha, joesavak ++ 18:32:40 <marekd> one last thing. 18:32:51 <marekd> currently we add only one url to a region 18:33:05 <marekd> which is a SP URL where the assertion should be send. 18:33:07 <joesavak> a little concerned - but should be manageable - via RBAC or even endpoint assignment to identity 18:33:41 <gyee> joesavak, security is a manageable condition :D 18:33:48 <morganfainberg> gyee, hah 18:33:54 <joesavak> implementors choice. ; ) 18:34:00 <marekd> but this means, a client needs to know another URL apriori, an endpoint where he should go once authenticated. 18:34:08 <rodrigods> marekd, ++ 18:34:17 <marekd> and it put a lot of concern on people. 18:34:21 <rodrigods> yeah, that's a tricky point 18:34:25 <marekd> yes 18:34:40 <marekd> so I suggest we add two url to the bursting regions 18:34:40 <rodrigods> since we do not have a real relay_state =P 18:34:51 <morganfainberg> marekd, fallback url? 18:35:01 <marekd> you mean? 18:35:12 <joesavak> one being the foreign keystone URL and the other being what? 18:35:23 <rodrigods> joesavak, the auth URL 18:35:29 <marekd> joesavak: let's say the protected url is sp-keystone.com/secure 18:35:38 <morganfainberg> rodrigods, but that should be discoverable? 18:35:48 <marekd> joesavak: but the assertion is gonna be sent to sp-keystone.com/shibboleth.sso/ecp 18:36:03 <rodrigods> morganfainberg, I need to know how the SP called my IdP 18:36:13 <rodrigods> which should be a out-of-band operation 18:36:14 <marekd> and today we configure the latter only 18:36:14 <rodrigods> I think 18:36:43 <joesavak> response from assertion call is a scoped token, right? So can I get the auth URL from that scope? 18:36:56 <joesavak> GET v3/endpoints -H X-Auth-Token: $scopedToken 18:37:17 <joesavak> or unscoped even 18:37:17 <rodrigods> joesavak, that's exactly the URL we need to go to get the scoped token 18:37:34 <marekd> joesavak: is this GET to IdP or SP ? 18:37:42 <joesavak> GET to SP 18:37:48 <rodrigods> v3/identity_providers/<idp_id>/protocols/<protocol>/auth 18:37:54 <marekd> how do you know this url 18:38:12 <marekd> no, wait. 18:38:18 <morganfainberg> marekd, isn't that the URL in the region? 18:38:39 <rodrigods> morganfainberg, the one in the region is the SP url 18:38:43 <marekd> morganfainberg: no, the one in the region is for POST /Shibboleth.sso/ADFS (e.g) where you send your assertion 18:38:44 <rodrigods> like Shibboleth.sso/ECP 18:39:24 <rodrigods> so marekd wants another field to store v3/identity_providers/<idp_id>/protocols/<protocol>/auth 18:39:26 <rodrigods> right? 18:39:28 <marekd> and then, usually SP responds with HTTP 302 and location set to keystone.example.com instead of keystone.example.com/v3/OS-FEDERATION/identity_providers/<idp>protoc/.../auth 18:39:33 <marekd> rodrigods: yes 18:39:51 <marekd> it's all because the workflow is so called IdP initiated authentication 18:39:55 <joesavak> Gotcha - because we made the protocols extensible - the URL may differ outside of the known keysotne contract for assertion processing - so 2 URLs are needed 18:40:00 <morganfainberg> ah 18:40:05 <marekd> joesavak: exacly! 18:40:07 <rodrigods> joesavak, ++ 18:40:09 <ayoung> 20 minutes left 18:40:10 <gyee> jamielennox, how's that going to work with keystoneclient? 18:40:12 <morganfainberg> that seems reasonable 18:40:23 <morganfainberg> but it will need client side work i think 18:40:24 <gyee> I don't think that auth url is discoverable 18:40:25 <joesavak> Ok , I'm ok with that - federationURL and keystoneURL (optional) 18:40:54 <marekd> joesavak: yeah. 18:41:01 <rodrigods> joesavak, would easy a lot to automate the clients 18:41:13 <ayoung> is this for the Horizon use case? 18:41:36 <jamielennox> gyee: i think it's specific to the federation auth plugin 18:42:05 <joesavak> rod - didn't understand your comment 18:42:06 <gyee> jamielennox, I mean it doesn't seem to follow the usual client workflow 18:42:21 <jamielennox> gyee: having all of this stuck in a region doesn't follow the regular workflow 18:42:27 <marekd> joesavak: he meant that clients would need to figure out one extra utl 18:42:28 <bknudson> we could put the auth urls in the json-home document somehow 18:42:30 <marekd> url 18:42:34 <joesavak> yup 18:42:36 <marekd> joesavak: they could work fully automated. 18:42:37 <rodrigods> marekd, joearnold exactly 18:42:44 <jamielennox> i tried to break the region == SP think prior to kilo but didn't get there in time 18:42:45 <rodrigods> joesavak, * 18:43:13 <morganfainberg> jamielennox, why is it wrong to assume a region == SP ? 18:43:21 <morganfainberg> in this case? 18:44:07 <jamielennox> 1. makes it confusing with how people currently use regions 2. breaks the concept that everything in the service catalog can be accessed with the current token 18:44:29 <jamielennox> (from memory #2 still applies - maybe changed since then) 18:44:36 <gyee> morganfainberg, the client discovery code won't work as is 18:44:38 <morganfainberg> except the region *only* has a url. 18:44:45 <morganfainberg> not endpoints in this case. 18:44:56 <marekd> morganfainberg: joesavak one thing, just remembered. 18:45:09 <marekd> shouldn't we also add some *another* parameterer to the region? 18:45:17 <marekd> like the federated protocol? 18:45:18 <morganfainberg> ok this needs more discussion - we can enhance/change this but we have other topics to get to in this meeting. 18:45:21 <jamielennox> morganfainberg: which seems like we shoehorned something into a current resource with edge cases rather than just make a new resource 18:45:42 <morganfainberg> we can make this better since k2k is expirimental if it's really warranted 18:45:43 <marekd> today we have only saml2, but tommorow regions/SP A,B,C will be saml2 only, but M,N OIDC 18:45:47 <morganfainberg> this is the point of experimental 18:45:53 <jamielennox> morganfainberg: we could have made an SP resource and put that into the catalog 18:45:53 <morganfainberg> but the case needs to be really strong. 18:45:54 <marekd> how am i going to be able to distinguish? 18:46:33 <morganfainberg> marekd, so i think we should evaluate shifting to an SP resource or similar 18:46:39 <marekd> jamielennox: that would be not a bad idea 18:46:40 <jamielennox> marekd: at this point you're taking over the region concept and i would vote to making a new SP resource in which all of this makes sense 18:46:41 <marekd> morganfainberg: ++ 18:46:42 <gyee> marekd, if SP is a resource in SC, we could filter it 18:46:44 <morganfainberg> or at least a clear way to identify a "Region" is a resource 18:46:50 <joesavak> yeah - we should have the protocol the SP uses to be discoverable. 18:46:50 <morganfainberg> or whatever 18:46:54 <morganfainberg> but yes. 18:47:06 <morganfainberg> lets evaluating making that shift before we stabilize k2k 18:47:13 <marekd> morganfainberg: so, whole new api for adding service providers, just like we have IdP now? 18:47:21 <marekd> stevemar: joesavak ^^ ? 18:47:24 <morganfainberg> #action Evaluate Service Provider as part of the Catalog 18:47:27 <joesavak> +1 18:47:35 <ayoung> Heh...that was inthe origianl Kent proposal 18:47:46 <morganfainberg> ayoung, funny how things come full circle 18:47:51 <morganfainberg> ok #topic HM releases planning 18:47:53 <morganfainberg> erm 18:47:56 <morganfainberg> #topic HM releases planning 18:48:00 <raildo> \o 18:48:03 <morganfainberg> raildo, rodrigods o/ 18:48:06 <rodrigods> o/ 18:48:12 <raildo> So, this is our planning for HM in Kilo: 18:48:13 <ayoung> release early release often 18:48:23 <raildo> Kilo-1 the base implementation about HM merged and the new specs about HM improvements https://review.openstack.org/#/c/135309/ and the Reseller Use case (I'm writing it) merged too. 18:48:29 <gyee> ayoung ++ 18:48:43 <morganfainberg> raildo, thats a good target 18:48:49 <raildo> Kilo-2 the entire code about HM and Reseller use case committed. 18:48:56 <ayoung> ++ 18:48:58 <rodrigods> so, for Kilo-1 18:49:04 <rodrigods> please review https://review.openstack.org/#/c/117786/ and the following patches 18:49:05 <rodrigods> =) 18:49:12 <raildo> rodrigods, ++ 18:49:13 <morganfainberg> raildo, once the base code is merged we will need to resolve the rebase against master to topic branch 18:49:22 <morganfainberg> then we do a simple topic branch -> master merge 18:49:42 <raildo> morganfainberg, yes, i believe that we can do that in kilo-1 too 18:49:44 <morganfainberg> should be straight forward. 18:49:45 <morganfainberg> yes 18:49:51 <rodrigods> really wanted it to land before henrynash refactoring 18:49:51 <rodrigods> hehe 18:49:59 <henrynash> rodigods: eek 18:50:01 <morganfainberg> rodrigods, race to rebase. 18:50:07 <raildo> hah 18:50:21 <raildo> and for Kilo-3 just reviews and resolve some bugs related to HM (if it appears :) ) 18:50:38 <morganfainberg> makes sense 18:50:43 <raildo> So, We have this Wiki about HM Meeting: 18:50:47 <henrynash> rodigods: we should just talk about which way makes the most sense 18:50:47 <raildo> #link https://wiki.openstack.org/wiki/Meetings/HierarchicalMultitenancyMeeting 18:50:56 <raildo> (just follow the Keystone pattern) 18:51:00 <rodrigods> the idea is that Kilo-2 code won't be a feature branch anymore 18:51:08 <morganfainberg> rodrigods, that is my hope 18:51:20 <raildo> the HM meetings on Friday at 16:00 UTC here in #openstack-meeting I invite everyone to participate 18:51:26 <raildo> :) 18:51:43 <ayoung> raildo, do what we do at the start of this meeting: 18:51:47 <henrynash> rodigods: my go 18:52:03 <ayoung> paste in the names of the keystone contributors that you want there 18:52:08 <morganfainberg> ok so we can quickly get to the last couple topics we have. 18:52:09 <rodrigods> ayoung, ++ 18:52:11 <morganfainberg> we need to keep moving. 18:52:12 <raildo> ayoung, sure 18:52:25 <raildo> morganfainberg, ok 18:52:27 <morganfainberg> #topic Oslo-Incubator Policy Graduation to Keystone Program 18:52:36 <morganfainberg> We are adopting the policy lib 18:52:44 <gyee> w00t! 18:52:48 <ayoung> w00t 18:52:55 <morganfainberg> it'll be run like pycadf (separate core team), if you're not interested as keystoen-core you wont need to be on core 18:52:59 <ayoung> and we are waiting on fileutils to move to oslo.utils, 18:53:01 <morganfainberg> though i hope everyone will want to be core on it 18:53:07 <morganfainberg> ayoung, we decided to wait? 18:53:15 <morganfainberg> anyway rodrigods is writing the spec 18:53:15 <rodrigods> ayoung, morganfainberg not that I'm aware of 18:53:18 <rodrigods> yep 18:53:23 <morganfainberg> the proposed name is pycpre 18:53:28 <ayoung> morganfainberg, ah...we can go ahead without that? Good! 18:53:30 <morganfainberg> since it can't be in the oslo namespace 18:53:32 <morganfainberg> ayoung, we can. 18:53:35 <rodrigods> hmm missed the name choice part 18:53:46 <ayoung> pycpre was a joke 18:53:50 <morganfainberg> ayoung, lol ;) 18:53:52 <ayoung> but someone took it seriously 18:53:54 <morganfainberg> sorry skipped the :) 18:54:01 <ayoung> cloud policy rules engine 18:54:05 <gyee> :| 18:54:18 * topol The Keystone empire grows..... 18:54:24 <ayoung> srsly we need a name 18:54:24 <dolphm> rodrigods: is that spec already published somewhere? 18:54:26 <morganfainberg> in all seriousness i want a name that isn't "keystone" namespaced 18:54:31 <rodrigods> would be nice a name to pronounce without being an acronym 18:54:33 <dolphm> topol: AAA 18:54:35 <ayoung> python-policy might be too over-reaching 18:54:39 <rodrigods> dolphm, not yet, will publish in keystone-specs 18:54:44 <topol> dolphm, indeed 18:54:46 <morganfainberg> and it can't be oslo namespaced 18:54:57 <gyee> congress? 18:55:00 <morganfainberg> topol, i swear dolph and I didn't discuss this 18:55:00 <gyee> just kidding! 18:55:01 <ayoung> cyprus? 18:55:04 <morganfainberg> anyway 18:55:05 <morganfainberg> think of names 18:55:13 <morganfainberg> discuss w/ rodrigods and in the spec 18:55:14 <topol> gyee..... really??? 18:55:26 <gyee> hey now 18:55:32 <morganfainberg> we'll continue this convo elsewhere 18:55:38 <morganfainberg> #topic Policy Specifications 18:55:42 <morganfainberg> ayoung, o/ 18:55:44 <ayoung> Yay! 18:55:44 <morganfainberg> 5 mins 18:55:44 <pballand> gyee: good one ;) 18:55:45 <topol> I for one welcome my new Keystone overlords :-) 18:55:56 <ayoung> OK...so henrynash and I have been hashin a few things out 18:56:04 <henrynash> ayoung: :-) 18:56:05 <dolphm> pypolice 18:56:12 <morganfainberg> dolphm, hehe 18:56:29 <dolphm> pylice? 18:56:33 <rodrigods> pypo 18:56:36 <ayoung> probably the most contentious thing was the distinction between hierarchical roles (not the role assignments) and role groups 18:56:38 <rodrigods> haha 18:56:39 <topol> yuck 18:56:41 <joesavak> keystone cops and the pylice 18:56:41 <dolphm> rodrigods: ++ 18:56:42 <joesavak> lol 18:56:45 <dstanek> call it customs; they are strict and almost didn't let me back into the US 18:56:53 <dstanek> customs.policy 18:56:57 <henrynash> ayoung: are we on to a lost casue here? 18:57:03 <morganfainberg> hey 18:57:13 <morganfainberg> we need to cover this 18:57:15 <morganfainberg> it's important 18:57:16 <ayoung> nah, we are, aI thinkm, talking about two aspects of related but different things 18:57:19 <topol> they demanded dstanek shave his beard or stop rotting for the browns 18:57:22 <morganfainberg> jokes can go #openstack-keystone 18:57:27 <morganfainberg> post meeting. 18:57:29 <morganfainberg> ayoung, please continue 18:57:32 <dolphm> ayoung: can you reset the conversation back to the problem being solved? it's hard to follow along as the discussion seems to jump straight into the solutions and the steps required to implement those solutions 18:57:33 <ayoung> so we need a shorthand for identifying that one role (or someting) means multiple roles 18:57:46 <ayoung> ok...problems to be solved: 18:58:26 <ayoung> well, henrynash 's solving the problem of "domain specific roles" 18:58:26 <dstanek> topol: rotting is probably correct 18:58:45 <morganfainberg> they are closely related 18:58:55 <morganfainberg> and can/should co-exist 18:58:57 <henrynash> #link https://review.openstack.org/#/c/133855/ 18:59:06 <dolphm> ayoung: that's already a solution, not a use case 18:59:11 <samuelms> morganfainberg, ++ 18:59:46 <ayoung> dolphm, take that up with henry, not my problem to solve. I was starting with "how do we unify delegations into one mechanism" 18:59:51 <morganfainberg> dolphm, the #1 usecase is for a domain admin to be able to redelegate groupings of permissions to users on projects under the domain 19:00:02 <henrynash> dolphm: Problem 2: Different domains want to be able to create their own "roles" which are more meaningful to their users...but our "roles" are global and are directly linked to the rules in the policy file - something only a cloud operator is going to want to own. 19:00:13 <morganfainberg> henrynash, ++ 19:00:13 <henrynash> dolphm: Solution: Have some kind of domain-scoped role-group (or meta-role) that a domain owner can define, that maps to a set of underlying roles that a policy file understands. [As has been pointed out, what we are really doing with this is finally doing real RBAC, where what we call roles today are really capabilities and role-groups are really roles] 19:00:19 <ayoung> and delegate something more fine-grained than just the role I've been assigned 19:00:31 <dolphm> perfect, thanks 19:00:33 <morganfainberg> ayoung, thats the next piece you're advocating. 19:00:50 <ayoung> morganfainberg, it grew out of the constraints discussion 19:00:54 <morganfainberg> ayoung, we decided at the summit that first pass was coarse groupings to ensure we could solve the immidiate need 19:00:57 <morganfainberg> anyway 19:00:58 <morganfainberg> that is time 19:01:05 <morganfainberg> continue the topic in #openstack-keystone 19:01:07 <ayoung> I want to be able to say "this token can only do operation O" 19:01:09 <morganfainberg> and jokes. 19:01:13 <morganfainberg> #endmeeting